Date: Saturday, February 25, 2017 @ 14:12:40 Author: eworm Revision: 289530
replace own with upstream patches Added: openvpn/trunk/0001-Clean-up-plugin-path-handling.patch openvpn/trunk/0003-systemd-Move-the-READY-1-signalling-to-an-earlier-po.patch Modified: openvpn/trunk/0002-do-not-race-on-RuntimeDirectory.patch openvpn/trunk/PKGBUILD Deleted: openvpn/trunk/0001-plugin.patch openvpn/trunk/0003-fix-timeout-in-non-TLS-mode-with-systemd.patch -----------------------------------------------------------------+ 0001-Clean-up-plugin-path-handling.patch | 217 ++++++++ 0001-plugin.patch | 46 - 0002-do-not-race-on-RuntimeDirectory.patch | 249 +++++++++- 0003-fix-timeout-in-non-TLS-mode-with-systemd.patch | 59 -- 0003-systemd-Move-the-READY-1-signalling-to-an-earlier-po.patch | 124 ++++ PKGBUILD | 24 6 files changed, 576 insertions(+), 143 deletions(-) Added: 0001-Clean-up-plugin-path-handling.patch =================================================================== --- 0001-Clean-up-plugin-path-handling.patch (rev 0) +++ 0001-Clean-up-plugin-path-handling.patch 2017-02-25 14:12:40 UTC (rev 289530) 
@@ -0,0 +1,217 @@
+From 4590c3831d0400096fab08aa1ed7f909da870ced Mon Sep 17 00:00:00 2001
+From: Christian Hesse <m...@eworm.de>
+Date: Wed, 25 Jan 2017 21:19:47 +0100
+Subject: [PATCH 1/2] Clean up plugin path handling
+
+Drop --with-plugindir, instead use an environment variable PLUGINDIR
+to specify the plugin directory.
+
+This puts a define into include/openvpn-plugin.h.in which has the plugin
+directory.
+
+The configure script does not know about the final plugin path. Thus we
+have to make Make generate the final header file for us.
+
+As the path is always available remove the compile time condition (and
+dead code) from src/openvpn/plugin.c.
+
+v2: The configure script can not evaluate the final $libdir path. So
+ use make to create a header file on the containing the final path.
+
+v3: Fix whitespace errors and gitignore location.
+
+v4: No extra header file, generate src/openvpn/plugin.h on the fly.
+ Remove condition and dead code.
+
+v5: Move the define to include/openvpn-plugin.h.in and let make generate
+ the final header file.
+
+Signed-off-by: Christian Hesse <m...@eworm.de>
+Acked-by: David Sommerseth <dav...@openvpn.net>
+Message-Id: <20170125201947.17197-1-l...@eworm.de>
+URL: http://www.mail-archive.com/search?l=mid&q=20170125201947.17197-1-l...@eworm.de
+Signed-off-by: David Sommerseth <dav...@openvpn.net>
+---
+ configure.ac | 16 +++++++---------
+ include/Makefile.am | 7 +++++++
+ include/openvpn-plugin.h.in | 2 ++
+ src/openvpn/plugin.c | 10 +---------
+ 4 files changed, 17 insertions(+), 18 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 79fb1ba..f305c54 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -38,7 +38,7 @@ AC_DEFINE([OPENVPN_VERSION_MINOR], [PRODUCT_VERSION_MINOR], [OpenVPN minor versi
+ AC_DEFINE([OPENVPN_VERSION_PATCH], ["PRODUCT_VERSION_PATCH"], [OpenVPN patch level - may be a string or integer])
+
+ AC_CONFIG_AUX_DIR([.])
+-AC_CONFIG_HEADERS([config.h include/openvpn-plugin.h])
++AC_CONFIG_HEADERS([config.h])
+ AC_CONFIG_SRCDIR([src/openvpn/syshead.h])
+ AC_CONFIG_MACRO_DIR([m4])
+
+@@ -301,13 +301,12 @@ AC_ARG_WITH(
+ [with_crypto_library="openssl"]
+ )
+
+-AC_ARG_WITH(
+- [plugindir],
+- [AS_HELP_STRING([--with-plugindir], [plugin directory @<:@default=LIBDIR/openvpn@:>@])],
+- ,
+- [with_plugindir="\$(libdir)/openvpn/plugins"]
+-)
+-
++AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@])
++if test -n "${PLUGINDIR}"; then
++ plugindir="${PLUGINDIR}"
++else
++ plugindir="\${libdir}/openvpn/plugins"
++fi
+
+ AC_DEFINE_UNQUOTED([TARGET_ALIAS], ["${host}"], [A string representing our host])
+ case "$host" in
+@@ -1284,7 +1283,6 @@ AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" = "
+ AM_CONDITIONAL([ENABLE_CRYPTO], [test "${enable_crypto}" = "yes"])
+ AM_CONDITIONAL([HAVE_LD_WRAP_SUPPORT], [test "${have_ld_wrap_support}" = "yes"])
+
+-plugindir="${with_plugindir}"
+ sampledir="\$(docdir)/sample"
+ AC_SUBST([plugindir])
+ AC_SUBST([sampledir])
+diff --git a/include/Makefile.am b/include/Makefile.am
+index a52c427..37962a6 100644
+--- a/include/Makefile.am
++++ b/include/Makefile.am
+@@ -16,3 +16,10 @@ MAINTAINERCLEANFILES = \
+ include_HEADERS = \
+ openvpn-plugin.h \
+ openvpn-msg.h
++
++openvpn-plugin.h: openvpn-plugin.h.in Makefile
++ $(AM_V_GEN)sed -e 's|\@PLUGINDIR\@|$(plugindir)|' \
++ -e 's|\@OPENVPN_VERSION_MAJOR\@|$(OPENVPN_VERSION_MAJOR)|' \
++ -e 's|\@OPENVPN_VERSION_MINOR\@|$(OPENVPN_VERSION_MINOR)|' \
++ -e 's|\@OPENVPN_VERSION_PATCH\@|$(OPENVPN_VERSION_PATCH)|' \
++ $< > $@.tmp && mv $@.tmp $@
+diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in
+index 0b30352..a084fc1 100644
+--- a/include/openvpn-plugin.h.in
++++ b/include/openvpn-plugin.h.in
+@@ -27,6 +27,8 @@
+
+ #define OPENVPN_PLUGIN_VERSION 3
+
++#define PLUGIN_LIBDIR "@PLUGINDIR@"
++
+ #ifdef ENABLE_CRYPTO
+ #ifdef ENABLE_CRYPTO_MBEDTLS
+ #include <mbedtls/x509_crt.h>
+diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
+index e530c0c..f777027 100644
+--- a/src/openvpn/plugin.c
++++ b/src/openvpn/plugin.c
+@@ -234,23 +234,15 @@ plugin_init_item(struct plugin *p, const struct plugin_option *o)
+ #ifndef _WIN32
+
+ p->handle = NULL;
+-#if defined(PLUGIN_LIBDIR)
++
+ if (!absolute_pathname(p->so_pathname))
+ {
+ char full[PATH_MAX];
+
+ openvpn_snprintf(full, sizeof(full), "%s/%s", PLUGIN_LIBDIR, p->so_pathname);
+ p->handle = dlopen(full, RTLD_NOW);
+-#if defined(ENABLE_PLUGIN_SEARCH)
+- if (!p->handle)
+- {
+- rel = true;
+- p->handle = dlopen(p->so_pathname, RTLD_NOW);
+- }
+-#endif
+ }
+ else
+-#endif
+ {
+ rel = !absolute_pathname(p->so_pathname);
+ p->handle = dlopen(p->so_pathname, RTLD_NOW);
+From 631812fe29c69d0034628ab8321cb4016cb4fc2d Mon Sep 17 00:00:00 2001
+From: Christian Hesse <m...@eworm.de>
+Date: Fri, 27 Jan 2017 09:49:27 +0100
+Subject: [PATCH 2/2] plugin: Remove GNUism in openvpn-plugin.h generation
+
+The plugin path handling cleanup (4590c383) introduced GNUism and broke
+builds on system not using GNU Make (like *BSD).
+
+Revert back to let configure generate the header file. Instead let make
+add an extra CFLAG that defines PLUGIN_LIBDIR.
+
+Signed-off-by: Christian Hesse <m...@eworm.de>
+Acked-by: Gert Doering <g...@greenie.muc.de>
+Message-Id: <20170127084927.21040-1-l...@eworm.de>
+URL: http://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13966.html
+Signed-off-by: David Sommerseth <dav...@openvpn.net>
+---
+ configure.ac | 2 +-
+ include/Makefile.am | 7 -------
+ include/openvpn-plugin.h.in | 2 --
+ src/openvpn/Makefile.am | 4 +++-
+ 4 files changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index f305c54..b29f8b4 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -38,7 +38,7 @@ AC_DEFINE([OPENVPN_VERSION_MINOR], [PRODUCT_VERSION_MINOR], [OpenVPN minor versi
+ AC_DEFINE([OPENVPN_VERSION_PATCH], ["PRODUCT_VERSION_PATCH"], [OpenVPN patch level - may be a string or integer])
+
+ AC_CONFIG_AUX_DIR([.])
+-AC_CONFIG_HEADERS([config.h])
++AC_CONFIG_HEADERS([config.h include/openvpn-plugin.h])
+ AC_CONFIG_SRCDIR([src/openvpn/syshead.h])
+ AC_CONFIG_MACRO_DIR([m4])
+
+diff --git a/include/Makefile.am b/include/Makefile.am
+index 37962a6..a52c427 100644
+--- a/include/Makefile.am
++++ b/include/Makefile.am
+@@ -16,10 +16,3 @@ MAINTAINERCLEANFILES = \
+ include_HEADERS = \
+ openvpn-plugin.h \
+ openvpn-msg.h
+-
+-openvpn-plugin.h: openvpn-plugin.h.in Makefile
+- $(AM_V_GEN)sed -e 's|\@PLUGINDIR\@|$(plugindir)|' \
+- -e 's|\@OPENVPN_VERSION_MAJOR\@|$(OPENVPN_VERSION_MAJOR)|' \
+- -e 's|\@OPENVPN_VERSION_MINOR\@|$(OPENVPN_VERSION_MINOR)|' \
+- -e 's|\@OPENVPN_VERSION_PATCH\@|$(OPENVPN_VERSION_PATCH)|' \
+- $< > $@.tmp && mv $@.tmp $@
+diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in
+index a084fc1..0b30352 100644
+--- a/include/openvpn-plugin.h.in
++++ b/include/openvpn-plugin.h.in
+@@ -27,8 +27,6 @@
+
+ #define OPENVPN_PLUGIN_VERSION 3
+
+-#define PLUGIN_LIBDIR "@PLUGINDIR@"
+-
+ #ifdef ENABLE_CRYPTO
+ #ifdef ENABLE_CRYPTO_MBEDTLS
+ #include <mbedtls/x509_crt.h>
+diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
+index bea294b..3f97855 100644
+--- a/src/openvpn/Makefile.am
++++ b/src/openvpn/Makefile.am
+@@ -27,7 +27,9 @@ AM_CFLAGS = \
+ $(OPTIONAL_CRYPTO_CFLAGS) \
+ $(OPTIONAL_LZO_CFLAGS) \
+ $(OPTIONAL_LZ4_CFLAGS) \
+- $(OPTIONAL_PKCS11_HELPER_CFLAGS)
++ $(OPTIONAL_PKCS11_HELPER_CFLAGS) \
++ -DPLUGIN_LIBDIR=\"${plugindir}\"
++
+ if WIN32
+ # we want unicode entry point but not the macro
+ AM_CFLAGS += -municode -UUNICODE
Deleted: 0001-plugin.patch
===================================================================
--- 0001-plugin.patch 2017-02-25 13:19:55 UTC (rev 289529)
+++ 0001-plugin.patch 2017-02-25 14:12:40 UTC (rev 289530)
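Review bot: In the src/openvpn/plugin.c hunk the `else` branch keeps `rel = !absolute_pathname(p->so_pathname);`, yet after this change that branch is entered only when absolute_pathname() has already returned true, so the assignment always yields false and the second call is redundant; `rel = false;` states the intent, or the line can go if `rel` has no remaining reader further down (plugin_init_item continues outside the hunk). Removing the ENABLE_PLUGIN_SEARCH fallback is a genuine hardening: a bare `--plugin` name is now only ever resolved as `PLUGIN_LIBDIR/<name>` and is never handed to dlopen() as a relative name that the loader would look up along its own search path, and a one-line comment above the `if`, e.g. `/* bare names resolve only under PLUGIN_LIBDIR; no relative dlopen() search */`, would keep a later reader from re-adding it. `openvpn_snprintf(full, sizeof(full), ...)` still discards its result, so a PLUGIN_LIBDIR plus name longer than PATH_MAX is silently truncated before dlopen(); that predates this patch, but failing the load on truncation is a two-line check.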
@@ -1,46 +0,0 @@
-diff --git a/configure.ac b/configure.ac
-index f4073d0..5fe652e 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -301,13 +301,12 @@ AC_ARG_WITH(
- [with_crypto_library="openssl"]
- )
-
--AC_ARG_WITH(
-- [plugindir],
-- [AS_HELP_STRING([--with-plugindir], [plugin directory @<:@default=LIBDIR/openvpn@:>@])],
-- ,
-- [with_plugindir="\$(libdir)/openvpn/plugins"]
--)
--
-+AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@])
-+if test -n "${PLUGINDIR}"; then
-+ plugindir="${PLUGINDIR}"
-+else
-+ plugindir="\${libdir}/openvpn/plugins"
-+fi
-
- AC_DEFINE_UNQUOTED([TARGET_ALIAS], ["${host}"], [A string representing our host])
- case "$host" in
-@@ -1245,7 +1244,6 @@ AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test "${enable_plugin_auth_pam}" = "ye
- AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" = "yes"])
- AM_CONDITIONAL([ENABLE_CRYPTO], [test "${enable_crypto}" = "yes"])
-
--plugindir="${with_plugindir}"
- sampledir="\$(docdir)/sample"
- AC_SUBST([plugindir])
- AC_SUBST([sampledir])
-diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
-index 4c18449..188834a 100644
---- a/src/openvpn/Makefile.am
-+++ b/src/openvpn/Makefile.am
-@@ -27,7 +27,8 @@ AM_CFLAGS = \
- $(OPTIONAL_CRYPTO_CFLAGS) \
- $(OPTIONAL_LZO_CFLAGS) \
- $(OPTIONAL_LZ4_CFLAGS) \
-- $(OPTIONAL_PKCS11_HELPER_CFLAGS)
-+ $(OPTIONAL_PKCS11_HELPER_CFLAGS) \
-+ -DPLUGIN_LIBDIR=\"${plugindir}\"
- if WIN32
- # we want unicode entry point but not the macro
- AM_CFLAGS += -municode -UUNICODE
Modified: 0002-do-not-race-on-RuntimeDirectory.patch
===================================================================
--- 0002-do-not-race-on-RuntimeDirectory.patch 2017-02-25 13:19:55 UTC (rev 289529)
+++ 0002-do-not-race-on-RuntimeDirectory.patch 2017-02-25 14:12:40 UTC (rev 289530)
@@ -1,8 +1,151 @@ -From 3e8b360cca4d97bef113a25f982601d4742af896 Mon Sep 17 00:00:00 2001 +From ca5b4c2aad2370be7862660d274b7485f2d0af71 Mon Sep 17 00:00:00 2001 
From: Christian Hesse <m...@eworm.de> -Date: Fri, 16 Dec 2016 22:56:15 +0100 -Subject: [PATCH 1/1] do not race on RuntimeDirectory +Date: Tue, 24 Jan 2017 15:39:46 +0100 +Subject: [PATCH 1/2] systemd: Use automake tools to install unit files +If systemd is enabled we install unit files to $libdir/systemd/system +(or the path specified by SYSTEMD_UNIT_DIR). +The unit files are generated on the fly with matching $sbindir. + +Signed-off-by: Christian Hesse <m...@eworm.de> +Acked-by: David Sommerseth <dav...@openvpn.net> +Message-Id: <20170124143947.27385-1-l...@eworm.de> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13940.html +Signed-off-by: David Sommerseth <dav...@openvpn.net> +--- + configure.ac | 10 +++++++++ + distro/Makefile.am | 4 +--- + distro/systemd/Makefile.am | 26 ++++++++++++++++++++++ + ...-client@.service => openvpn-cli...@.service.in} | 2 +- + ...-server@.service => openvpn-ser...@.service.in} | 2 +- + 6 files changed, 40 insertions(+), 5 deletions(-) + create mode 100644 distro/systemd/Makefile.am + rename distro/systemd/{openvpn-client@.service => openvpn-cli...@.service.in} (90%) + rename distro/systemd/{openvpn-server@.service => openvpn-ser...@.service.in} (91%) + +diff --git a/configure.ac b/configure.ac +index 8783109..48d8f0c 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -378,6 +378,7 @@ AC_ARG_VAR([NETSTAT], [path to netstat utility]) # tests + AC_ARG_VAR([MAN2HTML], [path to man2html utility]) + AC_ARG_VAR([GIT], [path to git utility]) + AC_ARG_VAR([SYSTEMD_ASK_PASSWORD], [path to systemd-ask-password utility]) ++AC_ARG_VAR([SYSTEMD_UNIT_DIR], [Path of systemd unit directory @<:@default=LIBDIR/systemd/system@:>@]) + AC_PATH_PROGS([IFCONFIG], [ifconfig],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin]) + AC_PATH_PROGS([ROUTE], [route],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin]) + AC_PATH_PROGS([IPROUTE], [ip],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin]) +@@ -1099,6 +1100,12 @@ if test "$enable_systemd" = "yes" ; then + 
OPTIONAL_SYSTEMD_LIBS="${libsystemd_LIBS}" + AC_DEFINE(ENABLE_SYSTEMD, 1, [Enable systemd integration]) + LIBS="${saved_LIBS}" ++ ++ if test -n "${SYSTEMD_UNIT_DIR}"; then ++ systemdunitdir="${SYSTEMD_UNIT_DIR}" ++ else ++ systemdunitdir="\${libdir}/systemd/system" ++ fi + fi + + +@@ -1275,6 +1282,8 @@ sampledir="\$(docdir)/sample" + AC_SUBST([plugindir]) + AC_SUBST([sampledir]) + ++AC_SUBST([systemdunitdir]) ++ + VENDOR_SRC_ROOT="\$(abs_top_srcdir)/vendor/" + VENDOR_DIST_ROOT="\$(abs_top_builddir)/vendor/dist" + VENDOR_BUILD_ROOT="\$(abs_top_builddir)/vendor/.build" +@@ -1313,6 +1322,7 @@ AC_CONFIG_FILES([ + distro/Makefile + distro/rpm/Makefile + distro/rpm/openvpn.spec ++ distro/systemd/Makefile + include/Makefile + src/Makefile + src/compat/Makefile +diff --git a/distro/Makefile.am b/distro/Makefile.am +index 7a9ffd0..eb0e554 100644 +--- a/distro/Makefile.am ++++ b/distro/Makefile.am +@@ -12,6 +12,4 @@ + MAINTAINERCLEANFILES = \ + $(srcdir)/Makefile.in + +-SUBDIRS = rpm +- +-EXTRA_DIST = systemd/openvpn-client@.service systemd/openvpn-server@.service ++SUBDIRS = rpm systemd +diff --git a/distro/systemd/Makefile.am b/distro/systemd/Makefile.am +new file mode 100644 +index 0000000..b10c6ed +--- /dev/null ++++ b/distro/systemd/Makefile.am +@@ -0,0 +1,26 @@ ++# ++# OpenVPN -- An application to securely tunnel IP networks ++# over a single UDP port, with support for SSL/TLS-based ++# session authentication and key exchange, ++# packet encryption, packet authentication, and ++# packet compression. ++# ++# Copyright (C) 2017 OpenVPN Technologies, Inc. 
<sa...@openvpn.net> ++# ++ ++%.service: %.service.in Makefile ++ $(AM_V_GEN)sed -e 's|\@sbindir\@|$(sbindir)|' \ ++ $< > $@.tmp && mv $@.tmp $@ ++ ++EXTRA_DIST = \ ++ openvpn-cli...@.service.in \ ++ openvpn-ser...@.service.in ++ ++if ENABLE_SYSTEMD ++systemdunit_DATA = \ ++ openvpn-client@.service \ ++ openvpn-server@.service ++endif ++ ++MAINTAINERCLEANFILES = \ ++ $(srcdir)/Makefile.in +diff --git a/distro/systemd/openvpn-client@.service b/distro/systemd/openvpn-cli...@.service.in +similarity index 90% +rename from distro/systemd/openvpn-client@.service +rename to distro/systemd/openvpn-cli...@.service.in +index 5618af3..d933772 100644 +--- a/distro/systemd/openvpn-client@.service ++++ b/distro/systemd/openvpn-cli...@.service.in +@@ -12,7 +12,7 @@ PrivateTmp=true + RuntimeDirectory=openvpn-client + RuntimeDirectoryMode=0710 + WorkingDirectory=/etc/openvpn/client +-ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf ++ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf + CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE + LimitNPROC=10 + DeviceAllow=/dev/null rw +diff --git a/distro/systemd/openvpn-server@.service b/distro/systemd/openvpn-ser...@.service.in +similarity index 91% +rename from distro/systemd/openvpn-server@.service +rename to distro/systemd/openvpn-ser...@.service.in +index b9b4dba..da5c78e 100644 +--- a/distro/systemd/openvpn-server@.service ++++ b/distro/systemd/openvpn-ser...@.service.in +@@ -12,7 +12,7 @@ PrivateTmp=true + RuntimeDirectory=openvpn-server + RuntimeDirectoryMode=0710 + WorkingDirectory=/etc/openvpn/server +-ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf ++ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf + CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN 
CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE + LimitNPROC=10 + DeviceAllow=/dev/null rw +From 3de7be7b17de879a78eea4afe4c918c6104c635d Mon Sep 17 00:00:00 2001 +From: Christian Hesse <m...@eworm.de> +Date: Tue, 24 Jan 2017 15:39:47 +0100 +Subject: [PATCH 2/2] systemd: Do not race on RuntimeDirectory + Different unit instances create and destroy the same RuntimeDirectory. This leads to running instances where the status file (and possibly more runtime data) is no longer accessible. @@ -13,17 +156,80 @@ As /run is volatile we do not have to care about cleanup. 
Signed-off-by: Christian Hesse <m...@eworm.de> +Acked-by: David Sommerseth <dav...@openvpn.net> +Message-Id: <20170124143947.27385-2-l...@eworm.de> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13939.html +Signed-off-by: David Sommerseth <dav...@openvpn.net> --- - distro/systemd/openvpn-client@.service | 2 -- - distro/systemd/openvpn-server@.service | 2 -- - distro/systemd/openvpn.conf | 2 ++ - 3 files changed, 2 insertions(+), 4 deletions(-) - create mode 100644 distro/systemd/openvpn.conf + configure.ac | 8 ++++++++ + distro/systemd/Makefile.am | 6 ++++++ + distro/systemd/openvpn-cli...@.service.in | 2 -- + distro/systemd/openvpn-ser...@.service.in | 2 -- + distro/systemd/tmpfiles-openvpn.conf | 2 ++ + 5 files changed, 16 insertions(+), 4 deletions(-) + create mode 100644 distro/systemd/tmpfiles-openvpn.conf -diff --git a/distro/systemd/openvpn-client@.service b/distro/systemd/openvpn-client@.service -index 5618af3..1187ee8 100644 ---- a/distro/systemd/openvpn-client@.service -+++ b/distro/systemd/openvpn-client@.service +diff --git a/configure.ac b/configure.ac +index 48d8f0c..79fb1ba 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -379,6 +379,7 @@ AC_ARG_VAR([MAN2HTML], [path to man2html utility]) + AC_ARG_VAR([GIT], [path to git utility]) + AC_ARG_VAR([SYSTEMD_ASK_PASSWORD], [path to systemd-ask-password utility]) + AC_ARG_VAR([SYSTEMD_UNIT_DIR], [Path of systemd unit directory @<:@default=LIBDIR/systemd/system@:>@]) ++AC_ARG_VAR([TMPFILES_DIR], [Path of tmpfiles directory @<:@default=LIBDIR/tmpfiles.d@:>@]) + AC_PATH_PROGS([IFCONFIG], [ifconfig],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin]) + AC_PATH_PROGS([ROUTE], [route],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin]) + AC_PATH_PROGS([IPROUTE], [ip],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin]) +@@ -1106,6 +1107,12 @@ if test "$enable_systemd" = "yes" ; then + else + systemdunitdir="\${libdir}/systemd/system" + fi ++ ++ if test -n "${TMPFILES_DIR}"; then ++ tmpfilesdir="${TMPFILES_DIR}" 
++ else ++ tmpfilesdir="\${libdir}/tmpfiles.d" ++ fi + fi + + +@@ -1283,6 +1290,7 @@ AC_SUBST([plugindir]) + AC_SUBST([sampledir]) + + AC_SUBST([systemdunitdir]) ++AC_SUBST([tmpfilesdir]) + + VENDOR_SRC_ROOT="\$(abs_top_srcdir)/vendor/" + VENDOR_DIST_ROOT="\$(abs_top_builddir)/vendor/dist" +diff --git a/distro/systemd/Makefile.am b/distro/systemd/Makefile.am +index b10c6ed..1e3f3ea 100644 +--- a/distro/systemd/Makefile.am ++++ b/distro/systemd/Makefile.am +@@ -13,6 +13,7 @@ + $< > $@.tmp && mv $@.tmp $@ + + EXTRA_DIST = \ ++ tmpfiles-openvpn.conf \ + openvpn-cli...@.service.in \ + openvpn-ser...@.service.in + +@@ -20,6 +21,11 @@ if ENABLE_SYSTEMD + systemdunit_DATA = \ + openvpn-client@.service \ + openvpn-server@.service ++tmpfiles_DATA = \ ++ tmpfiles-openvpn.conf ++ ++install-data-hook: ++ mv $(DESTDIR)$(tmpfilesdir)/tmpfiles-openvpn.conf $(DESTDIR)$(tmpfilesdir)/openvpn.conf + endif + + MAINTAINERCLEANFILES = \ +diff --git a/distro/systemd/openvpn-cli...@.service.in b/distro/systemd/openvpn-cli...@.service.in +index d933772..1be1e33 100644 +--- a/distro/systemd/openvpn-cli...@.service.in ++++ b/distro/systemd/openvpn-cli...@.service.in @@ -9,8 +9,6 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service] Type=notify 
@@ -31,12 +237,12 @@ -RuntimeDirectory=openvpn-client -RuntimeDirectoryMode=0710 WorkingDirectory=/etc/openvpn/client - ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf + ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE -diff --git a/distro/systemd/openvpn-server@.service b/distro/systemd/openvpn-server@.service -index b9b4dba..25a6bb7 100644 ---- a/distro/systemd/openvpn-server@.service -+++ b/distro/systemd/openvpn-server@.service +diff --git a/distro/systemd/openvpn-ser...@.service.in b/distro/systemd/openvpn-ser...@.service.in +index da5c78e..3dccaf2 100644 +--- a/distro/systemd/openvpn-ser...@.service.in ++++ b/distro/systemd/openvpn-ser...@.service.in @@ -9,8 +9,6 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service] Type=notify @@ -44,16 +250,13 @@ -RuntimeDirectory=openvpn-server -RuntimeDirectoryMode=0710 WorkingDirectory=/etc/openvpn/server - ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf + ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE -diff --git a/distro/systemd/openvpn.conf b/distro/systemd/openvpn.conf +diff --git a/distro/systemd/tmpfiles-openvpn.conf b/distro/systemd/tmpfiles-openvpn.conf new file mode 100644 index 0000000..bb79671 --- /dev/null -+++ b/distro/systemd/openvpn.conf ++++ b/distro/systemd/tmpfiles-openvpn.conf 
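Review bot: The `install-data-hook` added in the distro/systemd/Makefile.am hunk renames the installed `tmpfiles-openvpn.conf` to `openvpn.conf` after automake's own install step, but the generated uninstall target will still only try to remove `$(tmpfilesdir)/tmpfiles-openvpn.conf`, so `make uninstall` leaves `openvpn.conf` behind and `make distcheck` will most likely fail on the leftover. A matching `uninstall-hook:` running `rm -f $(DESTDIR)$(tmpfilesdir)/openvpn.conf` keeps install and uninstall symmetric; naming the source file so that no rename is needed avoids the hook altogether. Both hooks should stay inside the `if ENABLE_SYSTEMD` block, as `tmpfiles_DATA` already is, so a non-systemd build does not touch `$(tmpfilesdir)` at all.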
@@ -0,0 +1,2 @@ +d /run/openvpn-client 0710 root root - +d /run/openvpn-server 0710 root root - --- -2.11.0 - Deleted: 0003-fix-timeout-in-non-TLS-mode-with-systemd.patch =================================================================== --- 0003-fix-timeout-in-non-TLS-mode-with-systemd.patch 2017-02-25 13:19:55 UTC (rev 289529) +++ 0003-fix-timeout-in-non-TLS-mode-with-systemd.patch 2017-02-25 14:12:40 UTC (rev 289530) 
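Review bot: The two `d /run/openvpn-client 0710 root root -` and `d /run/openvpn-server 0710 root root -` entries reproduce the `RuntimeDirectoryMode=0710` that the units drop, but unlike `RuntimeDirectory=` the directories are created once by systemd-tmpfiles and are neither removed when the last instance stops nor recreated if an instance starts after someone deleted them by hand. The trade-off is intentional per the commit message, so a header comment in tmpfiles-openvpn.conf stating that the directories are shared by all instances and deliberately left in place would keep the next maintainer from reintroducing `RuntimeDirectory=`. The `--status %t/openvpn-server/status-%i.log` path in the server unit now depends on that entry having been applied; on a freshly installed package the directory exists only after `systemd-tmpfiles --create` has run, which the packaging presumably triggers but which nothing in these hunks shows. Since the directories are root-owned 0710, an instance that drops privileges with `--user`/`--group` can keep writing the status file only if it was opened before the drop — worth confirming rather than assuming.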
@@ -1,59 +0,0 @@
-From 8fe76deb35364aa0d71b3e771b4a12491a037764 Mon Sep 17 00:00:00 2001
-From: Christian Hesse <m...@eworm.de>
-Date: Wed, 28 Dec 2016 13:57:11 +0100
-Subject: [PATCH 1/1] fix timeout in non-TLS mode with systemd
-
-In non-TLS configuration we wait for the remote peer to connect
-before issuing "Initialization Sequence Completed". So prevent to
-time out by telling systemd service manager we are ready for now.
-Status will be "Non-TLS mode, ready for now. Waiting for peer..."
-and changes once the remote peer connects.
-
-This fixes #801 (static key tunnels impossible to start via systemd)
-
-Tested-by: Mantas Mikulėnas <graw...@gmail.com>
-Signed-off-by: Christian Hesse <m...@eworm.de>
----
- src/openvpn/openvpn.c | 19 +++++++++++++++++++
- 1 file changed, 19 insertions(+)
-
-diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c
-index 888acda..ae948f9 100644
---- a/src/openvpn/openvpn.c
-+++ b/src/openvpn/openvpn.c
-@@ -30,6 +30,10 @@
-
- #include "syshead.h"
-
-+#ifdef ENABLE_SYSTEMD
-+#include <systemd/sd-daemon.h>
-+#endif
-+
- #include "init.h"
- #include "forward.h"
- #include "multi.h"
-@@ -73,6 +77,21 @@ tunnel_point_to_point(struct context *c)
- return;
- }
-
-+#ifdef ENABLE_SYSTEMD
-+ /* In non-TLS configuration we wait for the remote peer to connect
-+ * before issuing "Initialization Sequence Completed". So prevent to
-+ * time out by telling systemd service manager we are ready for now.
-+ * Status will be "Non-TLS mode, ready for now. Waiting for peer..."
-+ * and changes once the remote peer connects. */
-+ if (c->options.tls_client == false
-+ && c->options.tls_server == false)
-+ {
-+ sd_notifyf(0, "READY=1\n"
-+ "STATUS=Non-TLS mode, ready for now. Waiting for peer...\n"
-+ "MAINPID=%lu", (unsigned long) getpid());
-+ }
-+#endif
-+
- /* main event loop */
- while (true)
- {
---
-2.11.0
-
Added: 0003-systemd-Move-the-READY-1-signalling-to-an-earlier-po.patch
===================================================================
--- 0003-systemd-Move-the-READY-1-signalling-to-an-earlier-po.patch (rev 0)
+++ 0003-systemd-Move-the-READY-1-signalling-to-an-earlier-po.patch 2017-02-25 14:12:40 UTC (rev 289530)
@@ -0,0 +1,124 @@
+From e83a8684f0a0d944e9d53cdad2b543cfd1b6fbae Mon Sep 17 00:00:00 2001
+From: David Sommerseth <dav...@openvpn.net>
+Date: Wed, 25 Jan 2017 00:23:44 +0100
+Subject: [PATCH 1/2] systemd: Move the READY=1 signalling to an earlier
+ point
+
+Currently, OpenVPN will first tell systemd it is ready once the
+log will be appended with "Initialization Sequence Completed".
+This turns out to cause some issues several places.
+
+First, it adds challenges if --chroot is used in the configuration;
+this is already fixed. Secondly, it will cause havoc on static key
+p2p mode configurations where the log line above will not happen
+before either sides have completed establishing a connection. And
+thirdly, if a client configuration fails to establish a connection
+within 90 seconds, it will also fail. For the third case this may
+not be a critical issue itself, as the host just needs to get
+an Internet access established first - which in some scenarios may
+take much longer than those 90 seconds systemd grants after the
+OpenVPN client configuration is started.
+
+The approach this patch takes is to consider OpenVPN ready when
+all the initial preparations and configurations have completed - but
+before a connection to a remote side have been attempted. This
+also removes the need for specially handling the --chroot scenario.
+
+The final "Initialization Sequence Completed" message update is
+kept (though slightly simplified) to indicate we're in a good
+state - even though this update will not be visible if --chroot
+is used (which was the situation also before this patch).
+
+Trac: #827, #801
+Signed-off-by: David Sommerseth <dav...@openvpn.net>
+Acked-by: Gert Doering <g...@greenie.muc.de>
+Acked-by: Christian Hesse <m...@eworm.de>
+Message-Id: <20170124232344.7825-1-dav...@openvpn.net>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13945.html
+Signed-off-by: David Sommerseth <dav...@openvpn.net>
+Signed-off-by: Christian Hesse <m...@eworm.de>
+---
+ src/openvpn/init.c | 29 ++++++++++-------------------
+ 1 file changed, 10 insertions(+), 19 deletions(-)
+
+diff --git a/src/openvpn/init.c b/src/openvpn/init.c
+index 756bf36..ff1551e 100644
+--- a/src/openvpn/init.c
++++ b/src/openvpn/init.c
+@@ -562,6 +562,15 @@ context_init_1(struct context *c)
+ }
+ #endif
+
++#ifdef ENABLE_SYSTEMD
++ /* We can report the PID via getpid() to systemd here as OpenVPN will not
++ * do any fork due to daemon() a future call.
++ * See possibly_become_daemon() [init.c] for more details.
++ */
++ sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization succesfull\nMAINPID=%lu",
++ (unsigned long) getpid());
++#endif
++
+ }
+
+ void
+@@ -1042,24 +1051,6 @@ do_uid_gid_chroot(struct context *c, bool no_delay)
+ {
+ if (no_delay)
+ {
+-#ifdef ENABLE_SYSTEMD
+- /* If OpenVPN is started by systemd, the OpenVPN process needs
+- * to provide a preliminary status report to systemd. This is
+- * needed as $NOTIFY_SOCKET will not be available inside the
+- * chroot, which sd_notify()/sd_notifyf() depends on.
+- *
+- * This approach is the simplest and the most non-intrusive
+- * solution right before the 2.4_rc2 release.
+- *
+- * TODO: Consider altnernative solutions - bind mount?
+- * systemd does not grok OpenVPN configuration files, thus cannot
+- * have a sane way to know if OpenVPN will chroot or not and to
+- * which subdirectory it will chroot into.
+- */
+- sd_notifyf(0, "READY=1\n"
+- "STATUS=Entering chroot, most of the init completed successfully\n"
+- "MAINPID=%lu", (unsigned long) getpid());
+-#endif
+ platform_chroot(c->options.chroot_dir);
+ }
+ else if (c->first_time)
+@@ -1409,7 +1400,7 @@ initialization_sequence_completed(struct context *c, const unsigned int flags)
+ else
+ {
+ #ifdef ENABLE_SYSTEMD
+- sd_notifyf(0, "READY=1\nSTATUS=%s\nMAINPID=%lu", message, (unsigned long) getpid());
++ sd_notifyf(0, "STATUS=%s", message);
+ #endif
+ msg(M_INFO, "%s", message);
+ }
+From b13bc6c9570e00d12e26bb3b8e5bf9bdb0b16eff Mon Sep 17 00:00:00 2001
+From: Christian Hesse <m...@eworm.de>
+Date: Fri, 24 Feb 2017 13:22:52 +0100
+Subject: [PATCH 2/2] fix typo in notification message
+
+Signed-off-by: Christian Hesse <m...@eworm.de>
+Acked-by: Gert Doering <g...@greenie.muc.de>
+Message-Id: <20170224122252.15199-1-l...@eworm.de>
+URL: http://www.mail-archive.com/search?l=mid&q=20170224122252.15199-1-l...@eworm.de
+Signed-off-by: Gert Doering <g...@greenie.muc.de>
+---
+ src/openvpn/init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/openvpn/init.c b/src/openvpn/init.c
+index ff1551e..7da0061 100644
+--- a/src/openvpn/init.c
++++ b/src/openvpn/init.c
+@@ -567,7 +567,7 @@ context_init_1(struct context *c)
+ * do any fork due to daemon() a future call.
+ * See possibly_become_daemon() [init.c] for more details.
+ */
+- sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization succesfull\nMAINPID=%lu",
++ sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
+ (unsigned long) getpid());
+ #endif
+
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2017-02-25 13:19:55 UTC (rev 289529)
+++ PKGBUILD 2017-02-25 14:12:40 UTC (rev 289530)
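Review bot: With `READY=1` now sent from context_init_1() in the src/openvpn/init.c hunk, systemd marks the unit active before any connection attempt, so units ordered `After=` or `Requires=` on an OpenVPN instance can no longer treat "started" as "tunnel is up"; the commit message explains that trade-off, but the comment above the new `sd_notifyf()` only covers the PID and should say so, e.g. `/* READY=1 means pre-connection init succeeded; tunnel state is only reported later via STATUS=. */`. The wording `as OpenVPN will not do any fork due to daemon() a future call` is hard to parse; `as OpenVPN does not fork in a later daemon() call` keeps the meaning. In initialization_sequence_completed() the rewritten `sd_notifyf(0, "STATUS=%s", message);` still passes `message` through `%s`, so the change introduces no format-string exposure, and dropping MAINPID there is fine since it was already sent. context_init_1's body starts outside the hunk.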
@@ -15,26 +15,26 @@ validpgpkeys=('03300E11FED16F59715F9996C29D97ED198D22A3' # Samuli Seppänen <samuli.seppa...@gmail.com> '7ACD56B74144925C6214329757DB9DAB613B8DA1') # David Sommerseth (OpenVPN Technologies, Inc) <dav...@openvpn.net> source=("https://swupdate.openvpn.net/community/releases/openvpn-${pkgver}.tar.xz"{,.asc} - '0001-plugin.patch' + '0001-Clean-up-plugin-path-handling.patch' '0002-do-not-race-on-RuntimeDirectory.patch' - '0003-fix-timeout-in-non-TLS-mode-with-systemd.patch') + '0003-systemd-Move-the-READY-1-signalling-to-an-earlier-po.patch') sha256sums=('6f23ba49a1dbeb658f49c7ae17d9ea979de6d92c7357de3d55cd4525e1b2f87e' 'SKIP' - 'b8254067b4ef5d157d87267a76938d86f101972303c7ff20131cc9f28659a30c' - 'a87b081f998db99190e8b9e185cd7aade5bd6dfb5c03777c82b75d28cd3b375c' - '1b0ff78390dd5e79ce6966fd7fee54d42f6f3622cf8078d8b0f9998046e6b73b') + '162a21f78fc83071643341fb4198092d7d81b8196573d53ce43548424d757be2' + '58ee9d2f4d8a74c3dec037265b84963171f76f9fb6689a529728cdc76fac30dd' + 'ae8fd591c05c04ad4b500494c55df242f3a2309f2af579b45820ce9959f1df06') prepare() { cd "${srcdir}"/${pkgname}-${pkgver} - # plugin path - patch -Np1 < "${srcdir}"/0001-plugin.patch + # Clean up plugin path handling + patch -Np1 < "${srcdir}"/0001-Clean-up-plugin-path-handling.patch # do not race on RuntimeDirectory patch -Np1 < "${srcdir}"/0002-do-not-race-on-RuntimeDirectory.patch - # fix timeout in non-TLS mode with systemd - patch -Np1 < "${srcdir}"/0003-fix-timeout-in-non-TLS-mode-with-systemd.patch + # systemd: Move the READY=1 signalling to an earlier point + patch -Np1 < "${srcdir}"/0003-systemd-Move-the-READY-1-signalling-to-an-earlier-po.patch # regenerate configure script autoreconf -fi 
@@ -84,11 +84,5 @@ *) install -D -m0644 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;; esac done - - # Install systemd files - install -d -m0755 "${pkgdir}"/usr/lib/systemd/system/ - install -m0644 distro/systemd/openvpn-{client,server}@.service "${pkgdir}"/usr/lib/systemd/system/ - install -D -m0644 distro/systemd/openvpn.conf "${pkgdir}"/usr/lib/tmpfiles.d/openvpn.conf - install -d -m0710 "${pkgdir}"/run/openvpn-{client,server} }